ENISA Issues Guidelines on Cryptographic Solutions

The European Union Agency for Network and Information Security (ENISA) has released two reports that aim to inform and guide decision makers in the public and private sector on the use and implementation of cryptographic protocols for securing personal data.

As a result of the numerous data breaches that have taken place in recent times and the recent government spying revelations, the European Union is increasingly focusing on personal data protection.

Last year, ENISA, which is referenced as a consultative body in the European Commission's data breach notification rules, released a cryptographic guidelines report on securing personal data online. The new reports made available last week, "Algorithms, key size and parameters" and "Study on cryptographic protocols", build upon the 2013 study.

The first report is a technical document designed to help those who design and implement cryptographic solutions for commercial organizations. Compared to the previous report on cryptographic protocols, this new study also includes information on side-channels, random number generation, and key life cycle management. The report analyzes cryptographic primitives and schemes and attempts to assess whether or not they are suitable for use today and in the future.

The second report is designed to help decision makers in governments and corporations when it comes to choosing the types of protocols they use for protecting personal data. According to ENISA, the main problem with many cryptographic protocols is that they were created many years ago.

"Thus cryptographic protocols suffer more from legacy issues than the underlying cryptographic components. The goal should be to work towards a better cryptographic protocol infrastructure which does not exhibit such problems," the report reads.

The list of recommendations for researchers and organizations includes the development of cryptographic and security protocols by cryptography experts rather than by networking and protocol experts, and the creation of automated tools that can verify the implementation of a protocol to ensure it meets its security requirements. ENISA also advises against the "optimization" of well-known protocols to meet specific application needs, since even minor changes can have a negative impact on security.

"What is highlighted is the need for certification schemes in all phases of the technological life-cycle. 'Security by design or by default' built in processes and products, are basic principles for trust," said Udo Helmbrecht, ENISA's executive director. "Standardising the process is an essential element in ensuring the correct application of the data protection reform in the service of EU's citizens and its internal market. ENISA's guidelines strive to provide the correct framework in securing online systems."

Eduard Kovacs is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.